dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
61033
dougz
join:2005-10-28
Mechanicsville, VA

2 edits

dougz

Member

Solved -- VPN Blocking?

I'm a total noob at VPN. Searched this site and others without finding much help.

To get started, I got a free account at proxpn.com, partially due to Steve Gibson's (grc.com) recommendations. Tried using the login at a public library and found that proxpn.com site access was blocked by their sonicwall's rules, claiming it was due to hacking or tunneling potential.

How common is VPN blocking? Not sure if it is worth paying for VPN services if it will be hard to find hotspots that allow login.
dougz

dougz

Member

Re: VPN Blocking?

I did some more research. It would appear that some sites really lock down their nets against VPN.

If I understand correctly, it would appear that VPNs which support SSL/SSTP can sneak through those sorts of firewalls.

Here's a relatively simple explanation (source -- »www.intl-alliance.com/st ··· alth-vpn)
Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and routers and cannot be blocked.

SSTP servers must be authenticated during the SSL phase. SSTP clients are authenticated during the SSL phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP.

SSTP is available in Windows Vista Service Pack 1 and Windows 7 operating systems only. It is fully integrated with the RRAS architecture in these operating systems.

With regards to the SSTP Super Stealth VPN Technology, here is what happens when you initialize this type of connection:

1.) TCP connection is established from client to server (by default on port 443).
2.) SSL validates server certificate. If certificate is valid connection is established otherwise connection is torn down.
3.) The client sends SSTP control packets within the HTTPS session which establishes the SSTP state machine on both sides.
4.) PPP negotiation over SSTP. Client authenticates to the server and binds IP addresses to SSTP interface
5.) SSTP tunnel is now established and packet encapsulation can begin.
Using »www.bestvpn.com/comparison-tool/ it appears that a number of VPNs support SSL/SSTP.

I haven't had a chance to test any. Anyone have experience or recommendations?
PrntRhd
Premium Member
join:2004-11-03
Fairfield, CA

PrntRhd to dougz

Premium Member

to dougz
I know school districts that typically block all ports by default and only open those required to conduct school business. That includes all the common SSL and VPN ports, GMail port 587 and more.
The libraries may or may not block. I have had mixed results with WiFi locations at coffee shops, some allow, some block.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to dougz

MVM

to dougz
said by dougz:

How common is VPN blocking?

Depends entirely on said hotspot's policy and level of how much they don't want this stuff running around.
Considering it's THEIR network, they can un/block whatever they want, so keep in mind YMMV about VPNs
and hotspots.

I only recently heard of SSTP, so haven't had any experience with it. My background's mostly IPSec and SSL VPNs.

Regards
dougz
join:2005-10-28
Mechanicsville, VA

dougz

Member

Thanks for the feedback. I didn't realize how hit-or-miss VPN was.

Cellular net access is looking better and better to me.
dougz

1 recommendation

dougz

Member

Solved my problem. Here's what I've learned, in case it help someone else.

It turns out that "Stealth VPN" was what I needed to get around the Sonicwall system my public library uses. I succeeded in connecting with Open VPN via port 443 (SSL).

I searched for VPN providers that supported "Stealth VPN" and Linux. VPN Reactor was highly recommended. My other finalists were Astrill, TorGuard, and AceVPN.

AceVPN allowed me to purchase a one month subscription (free trials are available if you jump through a few hoops) and was only US $5.95. Bought a month. (Consensus seems to be that free VPNs are worthless.)

Installed AceVPN on Crunchbang Linux Statler & Waldorf (Debian Old Stable & Stable/Wheezy). Since Crunchbang has Network Manager & OpenVPN installed by default, configuration was quite simple.

Tried using three different AceVPN sites/servers. First worked fine. Second timed out. Third was fine.

Tip: Do the installation on a network where VPN providers are not blocked by IP address or Deep Packet Inspection. After install, use on other nets.

Observations about AceVPN:
-- Negative review on www.bestvpn.com. I searched for other reviews and they were generally positive. My experiences have been generally positive. YMMV.

-- AceVPN accepts payment via PayPal and Google. No automatic renewal. Email to customer 7 days before expiration. Premature renewals are extended to include unused days. Cheaper for quarterly, half yearly, and yearly. Seemed businesslike.

-- Documentation is sparse, but adequate. Probably not optimal for computer newbie, but I had no problems.

-- I bought the cheaper "Premium" tier. Limited to 50 GB. More than adequate for my modest needs.

-- Did not use customer support, forums, or knowledge base. No need.

-- Only tried Linux. Supports Windows, Linux, Mac, iOS, Android, routers, etc.

-- Speed seems adequate. I watched about 30 minutes of streaming video from twit.tv while doing other things on the computer. No issues.
I'm a happy camper. I can use my comfortable public library's WiFi securely for less than US $6 a month. Should be usable at most public WiFi sites that are reasonably open.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to dougz

MVM

to dougz

Re: Solved -- VPN Blocking?

SSTP got me interested last night exactly who / where it came from... turns out it's MS' take on SSL VPN,
so there's nothing new there if you've ever dealt with an SSL VPN, and yes, SSL VPN vendors LOVE bragging in
their marketing materials "port 443, run anywhere!," though given my job -- network admin for an international
firm -- I call bulls**t on that claim given the amount of proxying, loadbalancing, firewalling, IDS/IPSing,
virtualizing, etc people do with their networks these days, and how many SSL VPN connectivity tickets I've had
to reengineer to get to work.

...I digress though.

Something caught my eye though, you especially mention your library's internet... is your interest in VPNs
driven by your desire to circumvent their AUP policy, or do you have a legitimate reason why you're interested
in setting up a VPN connection for yourself?

Regards
dougz
join:2005-10-28
Mechanicsville, VA

dougz

Member

Re: HELLFIRE
Something caught my eye though, you especially mention your library's internet... is your interest in VPNs driven by your desire to circumvent their AUP policy, or do you have a legitimate reason why you're interested in setting up a VPN connection for yourself?
No issues with the library's AUP.

I just used the library as a handy place to learn how to set up a VPN connection on a public WiFi. The Sonicwall block was a complete surprise to me. (Told you I was a Noob at VPN.)

I've used SSL connections on public WiFi before, but I've become increasingly aware that it is a risky practice. So I wanted to learn how to use public WiFi safely -- with a VPN.

My future use of VPN on the library's WiFi will probably be restricted to ebook loans via Overdrive & Amazon with an occasional email check thrown in.

It was an excellent learning experience, however.

DrStrange
Technically feasible
Premium Member
join:2001-07-23
Bristol, CT

DrStrange to HELLFIRE

Premium Member

to HELLFIRE
*note to self - check our public wi-fi to make sure common VPN ports [along with 443] are throttled to 2Mbps*